Application configuration
1. In the Okta admin dashboard, create a new application (or use an existing one):
2. Choose SAML2
3. Follow the creation steps using values relevant to your environment
4. Enable SCIM provisioning
5. Go to Provisioning > Edit and enter the following information:
   - SCIM connector base URL: <Env IdP URL>/api/scim/v2/
   - Unique identifier field for users: userName
   - Supported provisioning actions:
     - Push New Users
     - Push Profile Updates
   - Authentication Mode: HTTP Header
   - Authorization: use the token from the organization settings page
6. Click on Test Connector Configuration before saving to make sure that everything works as expected.
Your application is now created and SCIM is enabled. The following sections review each type of resource that can be synced.
User sync
This guide assumes that you already have users in your directory. They can be created in Directory > People.
1. First, let’s enable user sync in the application (direction Okta → Application).
2. Go to “Assignments” and assign your first user
   A few fields must be set: username, given and family name, and email.
3. The user should be added to the assignments table without error
4. The user should have been created in the CodeSignal organization dashboard with the organization default role (either as a member or an invitation, depending on the set-up).
That’s it! User sync is set up. Other changes such as name updates or removal should be synced as well.
Team sync
Groups and assignments can be managed in Okta in Directory > Groups. For testing purposes, create a couple from there prior to following this guide.
1. Make sure that team management through SCIM is enabled (see the section entitled "Principle: Team management via SCIM" in this article).
2. Enable groups sync in Okta.
3. This adds a new “Push Groups” tab. Let’s assign a group to our application.
4. The group should have been added without error in the Okta application dashboard.
5. The team should have been created in the CodeSignal organization dashboard.
6. Assign a synced user to the group to assign them to the team in the organization dashboard
   Both the user and the group must be assigned to the application. Just adding a group won’t be enough: unassigned users within that group will not be provisioned.
7. The team should have been assigned in the CodeSignal dashboard.
Role sync
1. Make sure that role management through SCIM is enabled (see the section entitled "Principle: Role management via SCIM" in this article).
2. Create a custom role field in the Okta user profile to store the CodeSignal role key.
   The only requirement here is to use data type string and permission Read-Write.
3. A profile should have been automatically created for your application.
4. Create a custom attribute in your application’s profile editor
   - Data type: string
   - Display name: any string (e.g. Role)
   - Variable name: any string (e.g. app_role)
   - External name MUST be: roles.^[primary==true].value
     This means that the SCIM payload will be formatted with:
     {
       ...
       roles: [
         {
           value: '<mapped value>',
           primary: true,
         }
       ]
     }
   - External namespace MUST be: urn:ietf:params:scim:schemas:core:2.0:User
     This means that it is a standard field of the User SCIM core schema.
   - Other settings are optional. Using an enum can be more user-friendly.
5. In the profile editor page, map the Okta custom field to the application field:
   a. In [app] to Okta User, select your newly created attribute to populate the Okta user attribute. Don’t forget to save.
   b. In Okta User to [app], select the custom Okta User attribute to populate the app attribute. Don’t forget to save again.
6. Back on the application page, let’s set a role for our assigned user. Note: an existing CodeSignal role key must be used.
   Role keys for custom roles can be retrieved from the CodeSignal dashboard URL.
7. The user role should have been updated in the CodeSignal dashboard.
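Because the role attribute controls what a provisioned user is allowed to do, it is worth checking what the mapping actually puts on the wire. The following is an added example, not Okta or CodeSignal code: it applies the roles.^[primary==true].value selection from step 4 to a captured SCIM User body and rejects anything ambiguous. It assumes a full SCIM core User resource (RFC 7643); the function name, the sample payload and the role keys are constructed placeholders.

```python
import json

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def primary_role(payload, allowed_role_keys):
    """Return the role key selected by roles.^[primary==true].value.

    Raises ValueError when the payload is not a core User resource, when
    there is not exactly one primary role, or when the key is not allowed.
    """
    if CORE_USER_SCHEMA not in (payload.get("schemas") or []):
        raise ValueError("payload is not a SCIM core User resource")
    roles = payload.get("roles")
    if not isinstance(roles, list):
        raise ValueError("roles attribute is missing or not a list")
    # Strict boolean match: the string "true" does not count as primary.
    primaries = [r for r in roles
                 if isinstance(r, dict) and r.get("primary") is True]
    if len(primaries) != 1:
        raise ValueError(
            f"expected exactly one primary role, found {len(primaries)}")
    value = primaries[0].get("value")
    if not isinstance(value, str) or value not in allowed_role_keys:
        raise ValueError(f"role key not recognised: {value!r}")
    return value


# Constructed placeholders: real role keys come from the CodeSignal dashboard.
ALLOWED_ROLE_KEYS = {"example_admin_key", "example_member_key"}

# Constructed sample body, shaped like the payload described in step 4.
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "jane.doe@example.com",
  "name": {"givenName": "Jane", "familyName": "Doe"},
  "emails": [{"value": "jane.doe@example.com", "primary": true}],
  "roles": [{"value": "example_admin_key", "primary": true}]
}
""")

if __name__ == "__main__":
    print(primary_role(SAMPLE_USER, ALLOWED_ROLE_KEYS))
```
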
Note: Natively importing existing users from CodeSignal into Okta is not supported. You can export users into CSV and import them into Okta manually.